x86/tdx: Add command line option to disable TDX guest filter support

Add a kernel command line option to disable device filter support for
TDX guest platform. It is a debug feature.

When the device filer is disabled it's possible to load all kinds of
drivers. These drivers don't know how to use ioremap_host_shared to get
a shared mapping for MMIO. When trying to do MMIO on a non shared
mapping KVM gets an error, but it cannot inject an exception so it ends
up with a cryptic and hard to debug KVM error on the host with the
guest being killed.

Instead if the device filter is overridden, force all ioremaps to
shared. This works because the command line parsing is before any
ioremaps.

The drawback is that some structures that shouldn't really be shared
will be made shared too, mainly BIOS data structures that get mapped.

Reviewed-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>

Documentation/admin-guide/kernel-parameters.txt

@@ -3499,6 +3499,10 @@
 	no5lvl		[X86-64] Disable 5-level paging mode. Forces
 			kernel to use 4-level paging instead.
 
+	noccfilter	[x86]
+			Disable Confidential computing (CC) guest filter
+			support.
+
 	nofsgsbase	[X86] Disables FSGSBASE instructions.
 
 	no_console_suspend

arch/x86/coco/core.c

@@ -16,15 +16,37 @@
 static enum cc_vendor vendor __ro_after_init;
 static u64 cc_mask __ro_after_init;
 
+/* Status of CC filter, enabled by default */
+static bool cc_filter_status = true;
+
+/* Command line parser to disable CC filter */
+static int __init setup_noccfilter(char *str)
+{
+	cc_filter_status = false;
+	return 1;
+}
+__setup("noccfilter", setup_noccfilter);
+
+void cc_set_filter_status(bool status)
+{
+	cc_filter_status = status;
+}
+
+bool cc_filter_enabled()
+{
+	return cc_filter_status;
+}
+
 static bool intel_cc_platform_has(enum cc_attr attr)
 {
 	switch (attr) {
 	case CC_ATTR_GUEST_UNROLL_STRING_IO:
 	case CC_ATTR_HOTPLUG_DISABLED:
 	case CC_ATTR_GUEST_MEM_ENCRYPT:
 	case CC_ATTR_MEM_ENCRYPT:
-	case CC_ATTR_GUEST_DEVICE_FILTER:
 		return true;
+	case CC_ATTR_GUEST_DEVICE_FILTER:
+		return cc_filter_status;
 	default:
 		return false;
 	}

arch/x86/coco/tdx/filter.c

@@ -196,6 +196,15 @@ void __init tdx_filter_init(void)
 	if (!cc_platform_has(CC_ATTR_GUEST_DEVICE_FILTER))
 		return;
 
+	if (cmdline_find_option_bool(boot_command_line, "noccfilter"))
+		cc_set_filter_status(false);
+
+	if (!cc_filter_enabled()) {
+		pr_info("Disabled TDX guest filter support\n");
+		add_taint(TAINT_CONF_NO_LOCKDOWN, LOCKDEP_STILL_OK);
+		return;
+	}
+
 	dev_default_authorization = false;
 
 	if (filter_overridden) {

arch/x86/coco/tdx/tdx.c

@@ -775,8 +775,6 @@ void __init tdx_early_init(void)
 	 */
 	physical_mask &= cc_mask - 1;
 
-	tdx_filter_init();
-
 	x86_platform.guest.enc_cache_flush_required = tdx_cache_flush_required;
 	x86_platform.guest.enc_tlb_flush_required   = tdx_tlb_flush_required;
 	x86_platform.guest.enc_status_change_finish = tdx_enc_status_changed;

arch/x86/include/asm/coco.h

@@ -17,6 +17,8 @@ void cc_set_mask(u64 mask);
 #ifdef CONFIG_ARCH_HAS_CC_PLATFORM
 u64 cc_mkenc(u64 val);
 u64 cc_mkdec(u64 val);
+void cc_set_filter_status(bool status);
+bool cc_filter_enabled(void);
 #else
 static inline u64 cc_mkenc(u64 val)
 {

arch/x86/kernel/head64.c

@@ -524,6 +524,8 @@ asmlinkage __visible void __init x86_64_start_kernel(char * real_mode_data)
 
 	copy_bootdata(__va(real_mode_data));
 
+	tdx_filter_init();
+
 	/*
 	 * Load microcode early on BSP.
 	 */